feat(inception): Zen1/2 IBPB and SMT checks

.github/workflows/autoupdate.yml

@@ -1,34 +0,0 @@
-name: autoupdate
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '42 9 * * *'
-
-jobs:
-  autoupdate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install prerequisites
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
-      - name: Update microcode versions
-        run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
-      - name: Check git diff
-        id: diff
-        run: |
-          echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
-          echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
-          git diff
-          cat "$GITHUB_OUTPUT"
-      - name: Create Pull Request if needed
-        if: steps.diff.outputs.nbdiff != '0'
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.SMC_PR_PAT }}
-          branch: autoupdate-fwdb
-          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
-          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
-          body: |
-            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
-            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes

.github/workflows/check.yml

@@ -24,7 +24,7 @@ jobs:
         fi
     - name: check direct execution
       run: |
-        expected=19
+        expected=18
         nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
         if [ "$nb" -ne "$expected" ]; then
           echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -32,11 +32,11 @@ jobs:
         else
           echo "OK $nb CVEs reported"
         fi
-    - name: check docker compose run execution
+    - name: check docker-compose run execution
       run: |
-        expected=19
+        expected=18
-        docker compose build
+        docker-compose build
-        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
         if [ "$nb" -ne "$expected" ]; then
           echo "Invalid number of CVEs reported: $nb instead of $expected"
           exit 1
@@ -45,7 +45,7 @@ jobs:
         fi
     - name: check docker run execution
       run: |
-        expected=19
+        expected=18
         docker build -t spectre-meltdown-checker .
         nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
         if [ "$nb" -ne "$expected" ]; then

README.md

@@ -21,9 +21,7 @@ CVE
 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes        | MCEPSC, No eXcuses, iTLB Multihit
 [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543)   | Special Register Buffer Data Sampling               | SRBDS
 [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling                                | GDS, Downfall
-[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security                             | Inception, RAS, SRSO
 [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak                      | Zenbleed
-[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue                              | Reptar
 
 Supported operating systems:
 - Linux (all versions, flavors and distros)
@@ -76,13 +74,10 @@ sudo ./spectre-meltdown-checker.sh
 #### With docker-compose
 
 ```shell
-docker compose build
+docker-compose build
-docker compose run --rm spectre-meltdown-checker
+docker-compose run --rm spectre-meltdown-checker
 ```
 
-Note that on older versions of docker, `docker-compose` is a separate command, so you might
-need to replace the two `docker compose` occurences above by `docker-compose`.
-
 #### Without docker-compose
 
 ```shell
@@ -192,20 +187,8 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
    - Mitigation: either microcode update or disabling AVX feature
    - Performance impact of the mitigation: TBD
 
-**CVE-2023-20569** Return Address Security (Inception)
-
-   - Impact: Kernel & all software
-   - Mitigation: updated kernel & microcode
-   - Performance impact of the mitigation: low to significant depending on the mitigation
-
 **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)
 
    - Impact: Kernel & all software
    - Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
    - Performance impact of the mitigation: TBD
-
-**CVE-2023-23583** Redundant Prefix issue (Reptar)
-
-   - Impact: All software
-   - Mitigation: microcode update for the affected CPU
-   - Performance impact of the mitigation: low

docker-compose.yml

@@ -1,3 +1,5 @@
+version: '2'
+
 services:
   spectre-meltdown-checker:
     build: